[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Attitude and Assumptions
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A thoughtful essay by Jon Callas on the trials and tribulations of being a
crypto start-up company.
Before I get into commenting on parts of Jon's message, let me first make
some very general points.
First, I don't think PGP, Inc. is being picked on. It announced a new
product this month, one with obvious implications and resonances for and
with the whole key recovery/key escrow/GAK debate.
Second, for us not to pick it apart would be "out of character"
(considering past critical remarks directed toward Netscape (ask the
Weinstein brothers), toward Microsoft (ask the MS employees who mostly post
from non-MS accounts), toward Cybercash, toward First Virtual, toward
RSADSI, and on and on. (And the Cypherpunks list was not even in the lead
in picking on PGP for Business, as the comments by Bruce Schneier, Simson
Garfinkel, etc. show.)
Third, several of us have reititerated the basic point that *of course* an
employer or corporation owner has every right to insist that his employees
use a particular product, submit to searches of their breifcases, have
their phone calls monitored, wear funny costumes, and so on. Only a couple
of people have even hinted that the issue is some kind of "workers rights"
thing.
Fourth, though employers may wish to insist on this kind of message
recovery, there are obvious dangers. Not the least of which is that the
voluntary aspects may cease to be voluntary (in terms of the government
mandating archival of all corporation messages, analogous to requirements
for audit trails, OSHA compliance, receipts, cash register records, etc.).
Fifth, it thus behooves us to think about these issues. That there will be
issues to consider, and public debate, is shown by the comments here and
the comments from Schneier, Garfinkel, etc. And even Phil Zimmermann, when
discussing a very similar product from ViaCrypt, basically said
(paraphrasing from memory): "Call it what you like, but it violates the
spirit of PGP, so don't call it PGP." Amen to that.
(Personally, I'll be real disappointed if Chairman Phil sends us a
Zimmermann Telegram (TM) telling us that the ViaCrypt and PGP products are
actually not all alike. "Pay no attention to the man behind the curtain.")
Sixth, besides all of these issues, there are interesting questions about
whether this form of "encrypting to a corporate key" is very useful or
addresses the right problem. (I happen to believe that the "what if Joe is
hit by a truck?" issue is better solved with other tools, and the "what if
Joe is sending corporate secrets outside the company?" issue is not at all
addresses with PGP for Business (as Joe will either stego encrypt, or, even
better, will just carry out gigabytes in a CD or DAT and use a non-company
account).
Anyway, I guess I don't need to comment paragraph by paragraph on Jon's
points. I'm happy that he's commenting here on the list.
- --Tim May
The Feds have shown their hand: they want a ban on domestic cryptography
- ---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
ComSec 3DES: 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^2,976,221 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQA/AwUBND78j1K3AvrfAt9qEQL4pgCfQqH86oZ8phNCo45ZNFRj2AX8ogYAoLjG
0d/WpUBVhv4NXPsfo/dbsa59
=88Cn
-----END PGP SIGNATURE-----